| 1 |
On Fri, Feb 10, 2012 at 12:29 PM, Pandu Poluan <pandu@××××××.info> wrote: |
| 2 |
> |
| 3 |
> On Feb 11, 2012 12:16 AM, "Michael Orlitzky" <michael@××××××××.com> wrote: |
| 4 |
>> |
| 5 |
>> On 02/10/12 11:46, Pandu Poluan wrote: |
| 6 |
>> > |
| 7 |
>> > On Feb 10, 2012 10:08 PM, "Mick" <michaelkintzios@×××××.com |
| 8 |
>> > <mailto:michaelkintzios@×××××.com>> wrote: |
| 9 |
>> >> |
| 10 |
>> >> > > |
| 11 |
>> >> > > The need: a VPN client that: |
| 12 |
>> >> > > + can selectively send packets fulfilling a criteria (in this |
| 13 |
>> > case, dest= |
| 14 |
>> >> > > IP address of internal server)* |
| 15 |
>> >> |
| 16 |
>> >> As far as I know typical VPNs require the IP address (or FQDN) of the |
| 17 |
>> >> VPN |
| 18 |
>> >> gateway. If yours changes because ISP A goes down then the tunnel |
| 19 |
>> > will fail |
| 20 |
>> >> and be torn down. |
| 21 |
>> |
| 22 |
>> I must have missed the original message. OpenVPN can do this. Just |
| 23 |
>> specify multiple "remote vpn.example.com" lines in your client configs, |
| 24 |
>> one for each VPN server. |
| 25 |
>> |
| 26 |
>> It also handles updating the routing table for you. Rather than match |
| 27 |
>> "IP address of internal server," it will match "IP address on internal |
| 28 |
>> network" and route through the VPN automatically. |
| 29 |
>> |
| 30 |
> |
| 31 |
> I'm still torn between OpenVPN and HAproxy. The former works with both TCP |
| 32 |
> and UDP, while the latter is lighter and simpler but works with TCP only*. |
| 33 |
> |
| 34 |
> *The traffic will be pure TCP, but who knows I might need a UDP tunnel in |
| 35 |
> the future. |
| 36 |
> |
| 37 |
> Any experience with either? |
| 38 |
> |
| 39 |
> Do note that I don't actually need a strong security (e.g. IPsec); I just |
| 40 |
> need automatic failover *and* fallback. |
| 41 |
|
| 42 |
We're not using multiple internet connections to the same network |
| 43 |
where I work, but we do use UDP-based OpenVPN to connect a few |
| 44 |
networks. |
| 45 |
|
| 46 |
TCP OpenVPN connections are very, very bad, IMO. With a TCP VPN, you |
| 47 |
easily break systems' TCP stacks' link bandwidth estimation. I once |
| 48 |
had a 30s ping time, because the pipe was hogged and backlogged from a |
| 49 |
mail client synchronizing. |
| 50 |
|
| 51 |
-- |
| 52 |
:wq |
Archives